CVE-2025-54395
📋 TL;DR
Netwrix Directory Manager (formerly Imanami GroupID) versions 11.0.0.0 through 11.1.25162.01 contain a cross-site scripting (XSS) vulnerability in authentication configuration data. This allows attackers to inject malicious scripts that execute in users' browsers when viewing configuration pages. Organizations using vulnerable versions of this identity management software are affected.
💻 Affected Systems
- Netwrix Directory Manager (formerly Imanami GroupID)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies or credentials, potentially gaining administrative access to the Directory Manager, leading to privilege escalation and unauthorized identity management operations.
Likely Case
Attackers could perform session hijacking against administrators, leading to unauthorized access to the Directory Manager interface and potential manipulation of user accounts or group memberships.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution in user browsers.
🎯 Exploit Status
Exploitation requires the ability to modify authentication configuration data (typically requiring administrative access) and for victims to view the affected configuration pages. The vulnerability is in how this data is displayed without proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.25162.02
Vendor Advisory: https://community.netwrix.com/t/adv-2025-015-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/17192
Restart Required: No
Instructions:
1. Download version 11.1.25162.02 or later from the Netwrix support portal.
2. Run the installer on the Directory Manager server.
3. Follow the upgrade wizard.
4. Verify the version after completion.
🔧 Temporary Workarounds
Input Validation Enhancement
Applies to: all
Implement additional input validation on authentication configuration fields to reject or sanitize script tags and JavaScript content.
Not applicable - requires code changes
Output Encoding
Applies to: all
Apply proper HTML encoding to all user-controlled data displayed in the authentication configuration pages.
Not applicable - requires code changes
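The two workarounds above describe what the vendor fix has to do inside the product. The following is an added example, not Netwrix code and not the actual Directory Manager page structure: it contrasts a "before" renderer that concatenates stored authentication configuration values straight into HTML with an "after" renderer that applies context-appropriate output encoding. The field names (`provider_name`, `login_url`, `description`), the sample values and the page layout are assumptions constructed for the demonstration.

```python
# Added example (not Netwrix's code): stored configuration values rendered
# into HTML with and without output encoding. Field names and the sample
# values are constructed assumptions for the demonstration.
import html

# Constructed sample of stored configuration values, as someone with edit
# rights on the authentication configuration might leave them.
SAMPLE_CONFIG = {
    "provider_name": 'Corp SSO" onmouseover="alert(1)',
    "login_url": "javascript:alert(document.cookie)",
    "description": "<script>alert(1)</script>",
}


def render_vulnerable(cfg: dict) -> str:
    """'Before' state: values are concatenated into markup with no encoding,
    so attribute, URL and text contexts are all breakable."""
    return (
        f'<input name="provider" value="{cfg["provider_name"]}">\n'
        f'<a href="{cfg["login_url"]}">Login</a>\n'
        f'<p>{cfg["description"]}</p>'
    )


def safe_url(value: str) -> str:
    """URL context: only http(s) schemes are allowed in an href; anything
    else (javascript:, data:, vbscript:, ...) is replaced with a harmless '#'."""
    v = value.strip().lower()
    if v.startswith("http://") or v.startswith("https://"):
        return html.escape(value, quote=True)
    return "#"


def render_hardened(cfg: dict) -> str:
    """'After' state: each value is encoded for the context it lands in.
    quote=True is what stops a value from closing an attribute early."""
    return (
        f'<input name="provider" value="{html.escape(cfg["provider_name"], quote=True)}">\n'
        f'<a href="{safe_url(cfg["login_url"])}">Login</a>\n'
        f'<p>{html.escape(cfg["description"])}</p>'
    )


def contains_active_content(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the output still contain a live script tag, an injected event-handler
    attribute, or a javascript: href?"""
    m = markup.lower()
    return "<script" in m or 'onmouseover="' in m or 'href="javascript:' in m


if __name__ == "__main__":
    print("vulnerable:", contains_active_content(render_vulnerable(SAMPLE_CONFIG)))
    print("hardened:  ", contains_active_content(render_hardened(SAMPLE_CONFIG)))
```

The point of `safe_url` is that HTML encoding alone is not enough in a URL context: `javascript:alert(1)` contains no character that `html.escape` changes, so an href needs a scheme allow-list in addition to encoding. Input validation (the first workaround) is a useful second layer, but output encoding at the point of rendering is what actually removes the vulnerability class.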
🧯 If You Can't Patch
- Restrict access to Directory Manager web interface to only trusted administrators using network segmentation and firewall rules.
- Implement Content Security Policy (CSP) headers to restrict script execution from untrusted sources in the Directory Manager interface.
🔍 How to Verify
Check if Vulnerable:
Check the Directory Manager version in the web interface under Help > About or via the installed programs list in Windows Control Panel.
Check Version:
Not applicable - check via web interface or Windows Programs and Features
Verify Fix Applied:
Verify the version is 11.1.25162.02 or later. Test by attempting to inject basic XSS payloads into authentication configuration fields and verifying they are properly sanitized when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to authentication configuration settings
- Multiple failed login attempts followed by configuration changes
- Administrative sessions from unexpected IP addresses
Network Indicators:
- HTTP requests containing script tags or JavaScript in authentication configuration parameters
- Unusual traffic patterns to Directory Manager web interface
SIEM Query:
source="netwrix-directory-manager" AND (event_type="config_change" AND config_field="authentication" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:"))
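The SIEM query above matches the literal strings `<script>` and `javascript:` in authentication configuration changes. As an added example (not Netwrix code, and not the product's real log format), the block below runs the same detection logic over a handful of constructed log lines and widens it to catch mixed-case tags, percent-encoded payloads and inline event handlers, which the literal match would miss. The key=value log layout, the field names `event_type`, `config_field`, `user` and `value`, and the sample lines are all assumptions.

```python
# Added example (not Netwrix's code or log format): the page's SIEM query
# applied to constructed log lines, widened to cover case variants,
# URL-encoding and event-handler attributes. Layout and field names are
# assumptions.
import re
from urllib.parse import unquote

# Constructed sample log lines; only lines 2, 3 and 5 should be flagged.
SAMPLE_LOGS = [
    'ts=2025-07-01T10:02:11Z event_type=config_change config_field=authentication user=admin value="Corp SSO"',
    'ts=2025-07-01T10:05:40Z event_type=config_change config_field=authentication user=admin value="<ScRiPt>alert(1)</ScRiPt>"',
    'ts=2025-07-01T10:07:02Z event_type=config_change config_field=authentication user=svc value="%3Cscript%3Ealert(1)%3C/script%3E"',
    'ts=2025-07-01T10:09:15Z event_type=config_change config_field=display user=admin value="<b>Team</b>"',
    'ts=2025-07-01T10:11:00Z event_type=config_change config_field=authentication user=admin value="javascript:alert(document.cookie)"',
    'ts=2025-07-01T10:12:30Z event_type=login user=admin result=failure',
]

# key=value pairs, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Script tags, javascript: URLs and on*= event handlers, case-insensitive.
ACTIVE_CONTENT_RE = re.compile(r'<\s*script|javascript\s*:|on[a-z]+\s*=', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one log line into a field dict (quotes stripped from quoted values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def normalise(value: str) -> str:
    """Undo percent-encoding, a bounded number of times, so an encoded payload
    is inspected in the same form the browser would eventually see."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(fields: dict) -> bool:
    """The page's query condition: an authentication config change whose
    value carries active content."""
    return (
        fields.get("event_type") == "config_change"
        and fields.get("config_field") == "authentication"
        and ACTIVE_CONTENT_RE.search(normalise(fields.get("value", ""))) is not None
    )


def find_suspicious(lines) -> list:
    """Return (timestamp, user, raw value) for every flagged line."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if is_suspicious(f):
            hits.append((f["ts"], f["user"], f["value"]))
    return hits


if __name__ == "__main__":
    for ts, user, value in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {user}: {value}")
```

Pair a hit from this rule with the other log indicators listed above: the same `user` appearing in the "multiple failed logins followed by configuration changes" pattern, or the change originating from an unexpected source address, raises the priority considerably, since changing authentication configuration is a legitimate administrative action on its own.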